[1445] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Missing bugfixes in redhat4.1

daemon@ATHENA.MIT.EDU (Savochkin Andrey Vladimirovich)
Mon Feb 10 02:07:51 1997

From: Savochkin Andrey Vladimirovich <saw@shade.msu.ru>
To: redhat-devel@redhat.com
Date: Sun, 9 Feb 1997 16:15:11 +0300 (MSK)
Cc: linux-security@redhat.com
Reply-To: saw@msu.ru
Resent-From: linux-security@redhat.com

After installing redhat4.1 I found that a few serious bug fixes
announced in Jan 97 was not included in the distribution.

First of them -- a SERIOUS SECURITY BUG in wu-ftpd allowing
any user gain a root acces to files. Patch was posted in redhat-announce
list and included in wu-ftpd-2.4.2b11-9.

Second: a bug in wu-ftpd -- ftpd doesn't perform any log for real user
and ignores corresponding lines in ftpaccess configuration file.
Patch was posted in redhat-devel.

These two patches are placed in
   ftp://shade.msu.ru/pub/linux/utils/wu-ftpd-2.4.2-secure+log.patch

Third: a bug in cracklib, which in certain conditions forces pam_unix_passwd
module to cause segmentation fault instead of authentication (in lucky case)
and performs random memory operations in other cases.
This bu also can be used in attempts to break system security
because one of affected program (passwd) is root-setuid.

Patch was posted in redhat-announce list and can be obtained from
   ftp://shade.msu.ru/pub/linux/libs/cracklib25_small.bugfix.patch

					Andrey V.
					Savochkin


home help back first fref pref prev next nref lref last post